From: Hangbin Liu <haliu@xxxxxxxxxx> wireguard: disable in FIPS mode Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940794 Upstream: RHEL Only The cryptos(BLAKE2S, Curve25519, CHACHA20POLY1305) in WireGuard are not FIPS approved. Disable loading the cryptos is a better solution, but the cryptos called by WireGuard are in lib/crypto/ instead of crypto/, which is a little complex to disable. While disabling the WireGuard module is more clear and easier. So let's disable the WireGuard in FIPS mode first. When the issue that loading the lib/crypto/ code in FIPS mode is fixed. We can revert this internal patch. Signed-off-by: Hangbin Liu <haliu@xxxxxxxxxx> diff a/drivers/net/wireguard/main.c b/drivers/net/wireguard/main.c --- a/drivers/net/wireguard/main.c +++ b/drivers/net/wireguard/main.c @@ -12,6 +12,7 @@ #include <uapi/linux/wireguard.h> +#include <linux/fips.h> #include <linux/init.h> #include <linux/module.h> #include <linux/genetlink.h> @@ -21,6 +22,11 @@ static int __init mod_init(void) { int ret; +#ifdef CONFIG_RHEL_DIFFERENCES + if (fips_enabled) + return -EOPNOTSUPP; +#endif + #ifdef DEBUG if (!wg_allowedips_selftest() || !wg_packet_counter_selftest() || !wg_ratelimiter_selftest()) -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/994 _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure